Disable user sign-in for an application

There might be situations while configuring or managing an application where you don't want tokens to be issued for an application. Or, you might want to block an application that you don't want your employees to try to access. To block user access to an application, you can disable user sign-in for the application, which prevents all tokens from being issued for that application.

In this article, you learn how to prevent users from signing in to an application in Microsoft Entra ID through both the Microsoft Entra admin center and PowerShell. If you're looking for how to block specific users from accessing an application, use user or group assignment.

Prerequisites

To disable user sign-in, you need:

• A Microsoft Entra user account. If you don't already have one, you can Create an account for free.
• One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.

Disable user sign-in using the Microsoft Entra admin center

Tip

Steps in this article might vary slightly based on the portal you start from.

1. Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.
2. Browse to Identity > Applications > Enterprise applications > All applications.
3. Search for the application you want to disable a user from signing in, and select the application.
4. Select Properties.
5. Select No for Enabled for users to sign-in?.
6. Select Save.

Disable user sign-in using Azure AD PowerShell

You might know the AppId of an app that doesn't appear on the Enterprise apps list. For example, if you delete the app or the service principal isn't yet created because Microsoft preauthorizes it. You can manually create the service principal for the app and then disable it by using the following Azure AD PowerShell cmdlet.

Ensure you've installed the Azure AD PowerShell module (use the command Install-Module -Name AzureAD). In case you're prompted to install a NuGet module or the new Azure AD PowerShell V2 module, type Y and press ENTER. You need to sign in as at least a Cloud Application Administrator.

# Connect to Azure AD PowerShell
Connect-AzureAD -Scopes

# The AppId of the app to be disabled
$appId = "{AppId}"

# Check if a service principal already exists for the app
$servicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$appId'"
if ($servicePrincipal) {
    # Service principal exists already, disable it
    Set-AzureADServicePrincipal -ObjectId $servicePrincipal.ObjectId -AccountEnabled $false
} else {
    # Service principal does not yet exist, create it and disable it at the same time
    $servicePrincipal = New-AzureADServicePrincipal -AppId $appId -AccountEnabled $false
}

Disable user sign-in using Microsoft Graph PowerShell

You might know the AppId of an app that doesn't appear on the Enterprise apps list. For example, if you delete the app or the service principal isn't yet created due to the app because Microsoft preauthorizes it. You can manually create the service principal for the app and then disable it by using the following Microsoft Graph PowerShell cmdlet.

Ensure you install the Microsoft Graph module (use the command Install-Module Microsoft.Graph). You need to sign in as at least a Cloud Application Administrator.

# Connect to Microsoft Graph PowerShell
Connect-MgGraph -Scopes "Application.ReadWrite.All"

# The AppId of the app to be disabled  
$appId = "{AppId}"  

# Check if a service principal already exists for the app 
$servicePrincipal = Get-MgServicePrincipal -Filter "appId eq '$appId'"  

# If Service principal exists already, disable it , else, create it and disable it at the same time 
if ($servicePrincipal) { Update-MgServicePrincipal -ServicePrincipalId $servicePrincipal.Id -AccountEnabled:$false }  

else {  $servicePrincipal = New-MgServicePrincipal -AppId $appId –AccountEnabled:$false } 

Disable user sign-in using Microsoft Graph API

You might know the AppId of an app that doesn't appear on the Enterprise apps list. For example, if you delete the app or the service principal isn't yet created due to the app because Microsoft preauthorizes it. You can manually create the service principal for the app and then disable it by using the following Microsoft Graph call.

To disable sign-in to an application, sign in to Graph Explorer as at least a Cloud Application Administrator.

You need to consent to the Application.ReadWrite.All permission.

Run the following query to disable user sign-in to an application.

PATCH https://graph.microsoft.com/v1.0/servicePrincipals/2a8f9e7a-af01-413a-9592-c32ec0e5c1a7

Content-type: application/json

{
    "accountEnabled": false
}

Next steps

• Remove a user or group assignment from an enterprise app